Current axios version contains CSRF vulnerability. #3369

iSpyte · 2024-05-04T13:49:48Z

The FAQ doesn't contain a resolution to my issue

Versions

mineflayer: <= 4.20.1
server: vanilla/spigot/paper Any
node: 20.12.2 (but I haven't tested any other versions)

Detailed description of a problem

Wanted to get this out as I haven't seen any issue posts about this recently.

When installing mineflayer using npm, npm states that it found 5 vulnerabilities after install. Upon entering npm audit it appears that the current version of the library Axios contains a Cross-Site Request Forgery vulnerability which is detailed in the links below. I should note it has now been patched in any version beyond 1.6.0. Current Axios version used by mineflayer is 0.21.4.

Github advisory:
GHSA-wf5p-g6vw-rhxx

Axios issue post
axios/axios#6022

CSRF Definition:
https://owasp.org/www-community/attacks/csrf

Additional context

The versions of axios affected are any below 1.6.0. Also using npm audit fix with or without --force doesn't fix the issue.

The text was updated successfully, but these errors were encountered:

extremeheat · 2024-05-04T15:16:37Z

See PrismarineJS/prismarine-auth#86

iSpyte added possible bug Stage1 just created by someone new to the project, we don't know yet if it deserves an implementation / a f labels May 4, 2024

extremeheat closed this as completed May 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Current axios version contains CSRF vulnerability. #3369

Current axios version contains CSRF vulnerability. #3369

iSpyte commented May 4, 2024 •

edited

extremeheat commented May 4, 2024

Current axios version contains CSRF vulnerability. #3369

Current axios version contains CSRF vulnerability. #3369

Comments

iSpyte commented May 4, 2024 • edited

Versions

Detailed description of a problem

Additional context

extremeheat commented May 4, 2024

iSpyte commented May 4, 2024 •

edited